You are about connecting new field devices to your IoT infrastructure. In order to restrict and control access to IoT Hub’s resources, as a security solution you are going to use SAS tokens based on symmetric keys. 
Which one of the following is not required to generate a SAS token?

Answer options:

A.device’s symmetric key
B.time of expiry
C.X.509 certificate
D.resource uri

Correct Answer: C
Option A is incorrect because to get authorized to connect to IoT Hub, devices use their primary key stored in the hub’s identity registry.
Option B is incorrect because security tokens are limited in time validity, therefore an expiry time must be set.
Option C is CORRECT because using X.509 certificates is a different way of authenticating devices with IoT Hub, and it is based on asymmetric keys, while you are going to use symmetric keys.
Option D is incorrect because security tokens are limited in scope (they grant access only to selected IoT Hub resources), therefore the uri of the given resources must be given.
Diagram: 
# sample token generator 
<pre class="brush:java;">def create_sas_token(uri, key, policy, expiry=7200):
ttl = time() + expiry
signing_key = "%s\n%d" % ((parse.quote_plus(uri)), int(ttl))
signature = b64encode(HMAC(b64decode(key), signing_key.encode(`utf-8`), sha256).digest())
raw_token = {
`sr` :uri,
`sig`: signature,
`se` : str(int(ttl))
}
if policy is not None:
raw_token[`skn`] = policy
return `SharedAccessSignature ` + parse.urlencode(raw_token)
</pre>
Reference: 

https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-devguide-security#use-a-symmetric-key-in-the-identity-registry